Problems using an Alias

Hello people, I’m having problems trying to use this Alias:

bp nt!NtCreateFile "as /mu ${/v:Alias1} @@C++(((_UNICODE_STRING*)((_OBJECT_ATTRIBUTES*)@@masm(poi(esp+0ch)))->ObjectName)->Buffer); .echo "${Alias1}";"

It doesn’t show the backslashes:

kd> g
??C:WINDOWSHelpmpconcepts.chm
nt!NtCreateFile:
8056e27c 8bff mov edi,edi

Also, it is not updating the value; I mean it shows the same value. How can I resolve this? Thanks.

Buffer is a pointer to wchar_t, not UNICODE_STRING.

0:000> .printf "%x %y %mu\n", @eip,@eip,@@c++( (wchar_t *)((( ntdll!_OBJECT_ATTRIBUTES * ) @@masm(poi(@esp+c)) )->ObjectName)->Buffer)
7c90d0ae ntdll!ZwCreateFile (7c90d0ae) ??\C:\WINDOWS\WindowsShell.Manifest

On Thu, Dec 18, 2014 at 3:22 AM, wrote:
>
> Hello people, I’m having problems trying to use this Alias:
>
> bp nt!NtCreateFile "as /mu ${/v:Alias1} @@C++(((_UNICODE_STRING*)((_OBJECT_ATTRIBUTES*)@@masm(poi(esp+0ch)))->ObjectName)->Buffer); .echo "${Alias1}";"
>
> It doesn’t show the backslashes:
>
> kd> g
> ??C:WINDOWSHelpmpconcepts.chm
> nt!NtCreateFile:
> 8056e27c 8bff mov edi,edi
>
> also it is not updating the value, I mean it shows the same value, how can
> I resolve this? thanks.
>
>
>
>
> —
> WINDBG is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

The alias needs to be evaluated every time, so it needs to be inside .block{}.
When you set .echo $(unknown) in a breakpoint it gets evaluated
immediately and replaced then and there, so you get the same filename.
You may confirm this with bl:

you will notice the breakpoint blah!foo "" not bp blah!foo alias

If printing the name of the file is your need, you can set a breakpoint as below:

0:000> bl
0:000> al
No aliases
0:000> bp ntdll!ZwCreateFile ".printf "%mu\n" ,@@c++( (wchar_t *)((( ntdll!_OBJECT_ATTRIBUTES * ) @@masm(poi(@esp+c)))->ObjectName)->Buffer) ;"
0:000> bl
0 e 7c90d0ae 0001 (0001) 0: **** ntdll!ZwCreateFile ".printf "%mu\n" ,@@c++( (wchar_t *)((( ntdll!_OBJECT_ATTRIBUTES * ) @@masm(poi(@esp+c)))->ObjectName)->Buffer) ;"
0:000> g
ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll
??\C:\WINDOWS\WindowsShell.Manifest
ntdll!ZwCreateFile:
7c90d0ae b825000000 mov eax,25h
0:000> g
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 4b400000 4b486000 C:\WINDOWS\system32\MSFTEDIT.DLL
ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\comdlg32.dll
ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\appHelp.dll
??\C:\Program Files\AVAST Software\Avast\ashShell.dll
ntdll!ZwCreateFile:
7c90d0ae b825000000 mov eax,25h
0:000> bp ntdll!ZwCreateFile ".printf "%mu\n" ,@@c++( (wchar_t *)((( ntdll!_OBJECT_ATTRIBUTES * ) @@masm(poi(@esp+c)))->ObjectName)->Buffer) ;gc"
breakpoint 0 redefined
0:000> g
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer

On 12/18/14, raj_r wrote:
> Buffer is a pointer to wchar_t, not UNICODE_STRING.
>
> 0:000> .printf "%x %y %mu\n", @eip,@eip,@@c++( (wchar_t *)((( ntdll!_OBJECT_ATTRIBUTES * ) @@masm(poi(@esp+c)) )->ObjectName)->Buffer)
> 7c90d0ae ntdll!ZwCreateFile (7c90d0ae) ??\C:\WINDOWS\WindowsShell.Manifest
>
>
> On Thu, Dec 18, 2014 at 3:22 AM, wrote:
>>
>> Hello people, I’m having problems trying to use this Alias:
>>
>> bp nt!NtCreateFile "as /mu ${/v:Alias1} @@C++(((_UNICODE_STRING*)((_OBJECT_ATTRIBUTES*)@@masm(poi(esp+0ch)))->ObjectName)->Buffer); .echo "${Alias1}";"
>>
>> It doesn’t show the backslashes:
>>
>> kd> g
>> ??C:WINDOWSHelpmpconcepts.chm
>> nt!NtCreateFile:
>> 8056e27c 8bff mov edi,edi
>>
>> also it is not updating the value, I mean it shows the same value, how
>> can
>> I resolve this? thanks.
>>
>>
>>
>>
>>
>

Thanks, but that didn't resolve my problem. I think it's a problem with my alias: it shows the text "${Alias1}", not the value (file path); then when I execute the command again, it shows "DeviceTcp6" without backslashes. The result is the same. Any idea?

kd> bp nt!NtCreateFile "as /mu ${/v:Alias1} @@c++((wchar_t *)(((_OBJECT_ATTRIBUTES*)@@masm(poi(@esp+c)))->ObjectName)->Buffer); .echo "${Alias1}";"
kd> g
${Alias1}
nt!NtCreateFile:
8056e27c 8bff mov edi,edi
kd> g
${Alias1}
nt!NtCreateFile:
8056e27c 8bff mov edi,edi
kd> g
${Alias1}
nt!NtCreateFile:
8056e27c 8bff mov edi,edi
kd> g
${Alias1}
nt!NtCreateFile:
8056e27c 8bff mov edi,edi
kd> bp nt!NtCreateFile "as /mu ${/v:Alias1} @@c++((wchar_t *)(((_OBJECT_ATTRIBUTES*)@@masm(poi(@esp+c)))->ObjectName)->Buffer); .echo "${Alias1}";"
breakpoint 0 redefined
kd> g
DeviceTcp6
nt!NtCreateFile:
8056e27c 8bff mov edi,edi
kd> g
DeviceTcp6
nt!NtCreateFile:
8056e27c 8bff mov edi,edi
kd> g
DeviceTcp6
nt!NtCreateFile:
8056e27c 8bff mov edi,edi

Thanks about .block and aliases. I'm trying to run this command:
bp nt!NtCreateFile "as /mu ${/v:Alias1} @@c++((wchar_t *)(((_OBJECT_ATTRIBUTES*)@@masm(poi(@esp+c)))->ObjectName)->Buffer);.block{.if($scmp("${Alias1}","??\C:\test.txt") == 0){.echo file found: "${Alias1}"} .else{.echo not found: "${Alias1}"; g;}};"

but sometimes I get this error:
Syntax error at '("\DEVICE\HARDDISKVOLUME1","??C: est.txt") == 0){.echo file found: "\DEVICE\HARDDISKVOLUME1"} .else{.echo not found: "\DEVICE\HARDDISKVOLUME1"; g;}'
nt!NtCreateFile:
8056e27c 8bff mov edi,edi

That syntax error is an annoying thing I encountered too when I dealt with $scmp().
It appeared to be because of the trailing \ (backslash) in the path
being treated as an escape for the "" terminating double quote, thus
rendering the string open without a closing double quote.
I think I sent feedback to windbgfb then; not sure if it was fixed in
later drops.
If you are on an older windbg, check with the latest ones:
http://www.osronline.com/showthread.cfm?link=233096

Since that time I dropped using $scmp as it appeared to be too buggy
or cumbersome

and hacked up an extension that compares the !obja->name with a given string.
The code for the extension follows, and a simple usage scenario follows the code.

See if that helps.

Untested code; it appeared to work on the specific machine at the
specific time I used it.
Use with caution; if you find any bugs or improve this code, feedback
will be appreciated.

#include <engextcpp.hpp>
#include <string.h>
#include <stdlib.h>

class EXT_CLASS : public ExtExtension {
public:
    EXT_COMMAND_METHOD(cmpstr);
};
EXT_DECLARE_GLOBALS();

EXT_COMMAND(cmpstr,
    "Compare Unicode Strings Pointed By OBJECT_ATTRIBUTES->ObjectName->Buffer\nExtension hijacks Pseudo Register $t19",
    "{v;b;;verbose mode}{o;e,o,d=poi(poi(poi(@esp+0xc)+8)+4);(obja->Buffer *);(wchar_t *)}{i;x;Input string;Duly Escaped Filepath}")
{
    // Start from "no match" so the breakpoint's .if always sees a defined $t19
    m_Control->Execute(DEBUG_OUTCTL_ALL_CLIENTS, "r $t19 = 0", DEBUG_EXECUTE_DEFAULT);
    PCSTR cmpstr = GetArgStr("i", TRUE);        // the /i string, still wrapped in its double quotes
    ULONG64 offset = GetArgU64("o", FALSE);     // target address of ObjectName->Buffer (wchar_t *)
    bool verbose = HasArg("v");
    if (cmpstr != 0) {
        ExtRemoteData data("str2comp", offset, 2048);
        wchar_t widebuff[1024] = {0};
        char buff[1024] = {0};
        data.GetString(widebuff, 1024, 1024, FALSE);   // read the wide path out of the target
        if (verbose) {
            dprintf("%S is being opened\n", widebuff);
        }
        wcstombs(buff, widebuff, 1024);
        // +2 / +1 hack to account for the "" (double quotes): GetArgStr() returns the
        // string including its "", while ExtRemoteData::GetString() retrieves it without them
        if ((strlen(cmpstr) - 2) == strlen(buff)) {
            if (_strnicmp(buff, cmpstr + 1, strlen(cmpstr) - 2) != 0) {
                m_Control->Execute(DEBUG_OUTCTL_ALL_CLIENTS, "r $t19 = 0", DEBUG_EXECUTE_DEFAULT);
            } else {
                m_Control->Execute(DEBUG_OUTCTL_ALL_CLIENTS, "r $t19 = 1", DEBUG_EXECUTE_DEFAULT);
                Dml("%S is being opened\n", widebuff);
            }
        }
    }
}

kd> .load cmpstr

kd> !help cmpstr

!cmpstr [/v] [/o <(obja->Buffer *)>] [/i <Input string>]
/v - verbose mode
/o <(obja->Buffer *)> - (wchar_t *) (defaults to poi(poi(poi(@esp+0xc)+8)+4))
/i <Input string> - Duly Escaped Filepath (consumes remainder of input string)
Compare Unicode Strings Pointed By OBJECT_ATTRIBUTES->ObjectName->Buffer
Extension hijacks Pseudo Register $t19

kd> bp nt!NtCreateFile "!cmpstr /i "\??\C:\WINDOWS\system32\calc.exe"; .if(@$t19 != 1) {gc}"

kd> bl
0 e 8056f864 0001 (0001) nt!NtCreateFile "!cmpstr /i "\??\C:\WINDOWS\system32\calc.exe"; .if(@$t19 != 1) {gc}"

kd> g
??\C:\WINDOWS\system32\calc.exe is being opened
nt!NtCreateFile:
8056f864 8bff mov edi,edi
kd> g
??\C:\WINDOWS\system32\calc.exe is being opened
nt!NtCreateFile:
8056f864 8bff mov edi,edi
kd> g
??\C:\WINDOWS\system32\calc.exe is being opened
nt!NtCreateFile:
8056f864 8bff mov edi,edi
kd> g

Break instruction exception - code 80000003 (first chance)

kd> bp nt!NtCreateFile "!cmpstr /v /i "\??\C:\WINDOWS\system32\calc.exe"; .if(@$t19 != 1) {gc}"
breakpoint 0 redefined
kd> bl
0 e 8056f864 0001 (0001) nt!NtCreateFile "!cmpstr /v /i "\??\C:\WINDOWS\system32\calc.exe"; .if(@$t19 != 1) {gc}"

kd> g
??\C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy is being opened
??\C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest is being opened
??\C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest is being opened
??\C:\WINDOWS\WindowsShell.Manifest is being opened
??\C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy is being opened
??\C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest is being opened
??\C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83.Manifest is being opened
Break instruction exception - code 80000003 (first chance)

On 12/18/14, xxxxx@hotmail.com wrote:
> Thanks about .block and aliases. I'm trying to run this command:
> bp nt!NtCreateFile "as /mu ${/v:Alias1} @@c++((wchar_t *)(((_OBJECT_ATTRIBUTES*)@@masm(poi(@esp+c)))->ObjectName)->Buffer);.block{.if($scmp("${Alias1}","??\C:\test.txt") == 0){.echo file found: "${Alias1}"} .else{.echo not found: "${Alias1}"; g;}};"
>
> but sometimes I get this error:
> Syntax error at '("\DEVICE\HARDDISKVOLUME1","??C: est.txt") == 0){.echo file found: "\DEVICE\HARDDISKVOLUME1"} .else{.echo not found: "\DEVICE\HARDDISKVOLUME1"; g;}'
> nt!NtCreateFile:
> 8056e27c 8bff mov edi,edi
>
>
>
>
>
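A stand-alone version of the comparison step from the extension above, added here as an example and not part of raj_r's code: it strips the double quotes that GetArgStr() keeps around the /i argument, compares wide-to-wide instead of going through wcstombs(), and takes the UNICODE_STRING Length in bytes so a Buffer that is not NUL-terminated is handled; CompareObjectName and StripQuotes are assumed names, and the sample path is constructed.

```cpp
#include <cstdio>
#include <cstring>
#include <cwchar>
#include <cwctype>

// Strips one pair of surrounding double quotes, the form GetArgStr("i") hands back
// for a quoted /i argument; an unquoted argument is returned unchanged.
static const char* StripQuotes(const char* arg, size_t* len) {
    size_t n = std::strlen(arg);
    if (n >= 2 && arg[0] == '"' && arg[n - 1] == '"') {
        *len = n - 2;
        return arg + 1;
    }
    *len = n;
    return arg;
}

// Case-insensitive comparison of the /i argument against ObjectName->Buffer.
// lengthBytes is UNICODE_STRING.Length, so no NUL terminator is assumed.
// Returns 1 on match and 0 otherwise, the values the extension writes to $t19.
int CompareObjectName(const char* arg, const wchar_t* buffer, size_t lengthBytes) {
    size_t wantLen = 0;
    const char* want = StripQuotes(arg, &wantLen);
    size_t haveLen = lengthBytes / sizeof(wchar_t);
    if (wantLen != haveLen) return 0;   // different lengths can never match
    for (size_t i = 0; i < haveLen; ++i) {
        std::wint_t a = std::towlower(static_cast<unsigned char>(want[i]));
        std::wint_t b = std::towlower(static_cast<std::wint_t>(buffer[i]));
        if (a != b) return 0;
    }
    return 1;
}

int main() {
    // Constructed sample: the /i argument exactly as GetArgStr() returns it (quotes kept)
    const char* arg = "\"\\??\\C:\\WINDOWS\\system32\\calc.exe\"";
    // Constructed sample of the target-side buffer, differing only in case
    const wchar_t name[] = L"\\??\\C:\\windows\\SYSTEM32\\calc.exe";
    std::printf("$t19 = %d\n", CompareObjectName(arg, name, sizeof(name) - sizeof(wchar_t)));
    return 0;
}
```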

Many thanks, I’ll check.